There has arguably been no greater security vulnerability in modern times than the recent Meltdown and Spectre vulnerabilities that have been found to affect most of the modern CPUs that are used in today’s hardware. This includes Intel, AMD, ARM, etc. The scope of the vulnerabilities is quite broad and all-encompassing. The affected Intel product line seems to include all Intel processors produced since 1995! Unlike previous security bugs related to processors, this is not simply a software issue. The problem with Meltdown and Spectre vulnerabilities is much deeper. Inside the hardware itself, the actual silicon. This is not an easy problem to “fix” as a true resolution to the vulnerabilities will require the CPU manufacturers to create new processors that do not contain the vulnerabilities. It is not a feasible solution to imagine you can simply “rip and replace” every single CPU that exists in the datacenter with new processors. The fact of the matter is at this point, the new CPUs do not exist or at least have not been brought to market. To help mitigate these vulnerabilities, software patches from the operating system side have been introduced which change the way the operating system interacts with kernel memory. What are the specifics of Meltdown and Spectre vulnerabilities? How do the software patches mitigate the exploits? Why are backups important to consider before applying these software patches?
Meltdown and Spectre CPU Vulnerabilities
As mentioned the Meltdown and Spectre vulnerabilities are hardware related exploits. They allow a “user mode” process to gain access to protected kernel memory address space via what is called “speculative execution”. Speculative execution is a technology that allows today’s modern processors to “guess” or predict which instructions are most likely going to be needed in the near future as well as execute the instructions in the order that makes the most sense from a performance/efficiency perspective. This has allowed a tremendous performance increase over previous versions of processors that do not contain the speculative execution technology.
Intel has been primarily exposed in the area of speculative execution because its processors allow the speculative execution code to have privileged access to memory a user would never be allowed access to. Intel’s processors don’t check whether or not the memory being accessed by speculative execution is privileged memory (the area of memory that contains all the secret things we would never want user space code to be able to access – passwords, crypto keys, etc).
Intel CPUs vulnerable to Meltdown attack
The Spectre attack is also based on the speculative execution technology. However, it is exposed differently. It targets the memory space isolation that exists between applications as opposed to Meltdown “melting” the isolation between applications and the operating system. The Spectre attack is the exploit that affects roughly all the major CPU vendors that are relevant in today’s market including Intel, AMD, and ARM.
Spectre attack affects Intel, AMD, and ARM CPUs
The current “Common Vulnerabilities and Exposures (CVE) associated with the exploits are the following:
- CVE-2017-5715 – Spectre
- CVE-2017-5753 – Spectre
- CVE-2017-5754 – Meltdown
How Do the Software Patches Mitigate the Exploits?
As mentioned, this is a hardware issue that can only be solved in the final sense by producing new processors that no longer have the hardware defect included. However, for now, with the majority of the world’s CPUs at risk, employing software patches is the interim solution. Most of the major software vendors have scrambled to get software patches developed and released that change the way the kernel memory can be accessed by user space processes. Most of the major operating system vendors have released patches for their respective platforms.
Microsoft has released the following patches for Operating Systems:
- Windows 10
- Windows 8 and Windows Server 2012
- Windows 8.1 and Server 2012 R2— KB4056898 (issued 1/3/18)
- Windows Server 2012 – none available
- Windows 7 and Windows Server 2008
- Windows 7 SP1 and Server 2008 R2 SP1 — KB4056897 (issued 1/3/18)
- Windows 7 SP1 and Server 2008 R2 SP1 — KB4056894 (issued 1/4/18)
- Windows Server 2008 non-R2 version – none available
Apple has released the following:
- MacOS 10.13.2 and IOS 11.2 released in December address the issue.
- Supplemental updates were released – macOS 10.13.2 (rereleased) and IOS 11.2.2
Linux patches released:
- Linux Kernel 4.14.13
- 4.15 will include fixes for ARM64
- Patches also included in the stable 4.4 and 4.9 kernels
VMware has released the following:
- https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
- https://kb.vmware.com/s/article/52085
Why are Backups Important with the Meltdown and Spectre Patches?
As important as it is to patch affected production systems, there have already been problems and critical stability issues found with recently released patches. Additionally, performance impacts of the initial patches can result in 5-30% less performance in patched systems. The following sightings have already been found with the initial patch releases.
- Microsoft has noted reports from AMD customer devices getting blue screens of death (BSODs) after installing patches released
- Intel released a statement of reports from customers of system instability after applying the initial firmware updates. The affected systems were specifically running Intel Broadwell and Haswell CPUs.
- VMware retracted their initial microcode updates that were released after the Intel sightings related to Broadwell and Haswell CPUs
It is evident that the software patches are getting rushed out the door without a lot of vigorous testing, due to the nature of the criticality of this vulnerability. Everyone is trying to quickly patch Meltdown and Spectre security holes to remove any responsibility of security compromise. With the possibility as already noted of system instability, backups of business-critical systems are imperative!
Enterprise datacenters certainly need effective and efficient data backups, offsite DR, as well as replication to ensure minimal downtime due to any instability or other disaster related event. Vembu BDR Suite is an enterprise and cloud ready data protection solution that provides state of the art data protection to enterprises today. It enables recovering from data loss and allows organizations to maintain business continuity no matter what the cause of the downtime.
In the upcoming weeks and months, there will no doubt be other software patches released and firmware updates pushed via various hardware vendors. Organizations must proceed with caution and with a good DR and Business Continuity plan in place.
Concluding Thoughts
The Meltdown and Spectre exploits are some of the most critical hardware security related vulnerabilities that have ever been exposed. The sheer span of vulnerable processors is mind boggling. Software and hardware vendors alike will be pushing even more software patches to help patch newly found aspects of the vulnerabilities and to improve performance of the first iterations of patches. Using a data protection solution such as Vembu BDR Suite that is able to protect data on both virtual and physical systems is imperative. Organizations moving forward with patching vulnerable systems while taking the risk of any resulting system instability must leverage capable data protection solutions to maintain business-continuity.
Experience modern data protection with this latest Vembu BDR Suite v.3.9.0 FREE edition. Try the 30 days free trial here: https://www.bdrsuite.com/vembu-bdr-suite-download/
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.